Capstone Privacy Policy

Your privacy is important to us at Capstone. We want to be clear how we use your information, and the ways in which you can protect your privacy.

Our Privacy Policy explains:

  • What information we collect and why we collect it.
  • How we use that information and when we disclose it.
  • How to access and update your information.
  • The steps we take to protect your information.

This Privacy Policy applies to the information that we obtain through your use of Capstone services, including our website (https://.capstonesystem.com.au), platforms, and web-based tools (collectively the “Services”). Please familiarize yourself with our policies, and if you have any questions contact us at support@capstonesystem.com.au This policy is incorporated into and is subject to the Online Customer Service Agreement.

 

  1. Information We Collect

1.1 Information you provide to us

We collect the following information:

Account and Profile Information: We collect information about you and your company when you register for an account, create or modify your profile, and make purchases through our Services. Information we collect includes your name, username, address, email address, phone number, and payment details. You may provide this information directly through our Services or in some cases another user creating an account on your behalf may provide it. If you provide information (including personal information) about someone else, you confirm that you have the authority to act for them and to consent to the collection and use of their personal information as described in this Privacy Policy.

1.2 Content: We collect and store content that you create, input, submit, post, upload, transmit, or store in the process of using our Services, including information from end users of any application that you develop using our Services and/or that we host on your behalf. Such content may include any personal or other sensitive information submitted using our Services, such as personal health information, and other information such as source code or regulatory compliance materials.

1.3 Other submissions: We collect other data that you may submit to our Services or us directly, such as when you request customer support or communicate with us via email or social media sites.

 

  1. Information we collect from your use of our Services

2.1 Web Logs and Analytics Information: We record certain information and store it in log files when you interact with our Services. This information may include Internet protocol (IP) or other device addresses or ID numbers as well as browser type, Internet service provider, URLs of referring/exit pages, operating system, date/time stamp, information you search for, locale and language preferences, your mobile carrier, and system configuration information. We and our analytics providers also collect and store analytics information when you use our Services to help us improve our Services.

2.2 Cookies and Other Tracking Technologies: We use various technologies to collect information, including cookies that we save to your computer or mobile device. Cookies are small data files stored on your hard drive or in device memory. We use cookies to improve and customize our Services and your experience; to allow you to access and use the Services without re-entering your username or password; and to count visits and understand which areas and features of the Services are most popular. We may also associate the information we store in cookies with personal information you submit while on our Services. You can instruct your browser, by changing its options, to stop accepting cookies or to prompt you before accepting a cookie from websites you visit. If you do not accept cookies, however, you may not be able to use all aspects of our Services.

 

  1. Information we collect from other sources

3.1 Information from third party services: We may obtain information, including personal information, from third parties such as our partners and service providers, and combine it with other information we collect from you.

3.2 How We Use Information We Collect

We may use the information we collect for a variety of purposes, including to:

  • Provide, operate, maintain, improve, personalize, and promote our Services;
  • Develop new products, services, features, and functionality;
  • Enable you to access and use our Services;
  • Process and complete transactions, and send you related information, including purchase confirmations and invoices;
  • Communicate with you, including responding to your comments, questions, and requests; providing customer service and support; providing you with information about services, including technical notices, updates, security alerts, administrative messages, or advertising or marketing messages; and providing other news or information about us and our select partners;
  • Monitor and analyze trends, usage, and activities in connection with our Services; and
  • Investigate and prevent fraudulent transactions, unauthorized access to our Services, and other illegal activities.

We may also use the information we collect for other purposes about which we notify you.

 

  1. Information Sharing and Disclosures

4.1 We may share your information in the following ways:

With your express consent: We will share your personal information with companies, organizations, or individuals outside of Capstone when we have your consent to do so.

4.2 Your use: When you use our Services, certain features allow you to make some of your content accessible to the public or other users of the Services. We urge you to consider the sensitivity of any information prior to sharing it publicly or with other users.

4.3 Access by your Capstone administrator: Your Capstone account owner may be able to:

  • Access information in and about your Capstone account;
  • Disclose, restrict, or access information that you have provided or that is made available to you when using your Capstone account, including your content; and
  • Control how your Capstone account may be accessed or deleted.

4.4 Service Providers, Business Partners and Others: We may share your information with service providers and other third parties who perform services on our behalf, such as infrastructure, analytics, marketing, and advertising services. We provide your payment information to our service providers for payment processing and verification. Service providers such as analytics providers may collect information about your online activities over time and across different online services when you use our Services.

4.5 Compliance with Laws and Law Enforcement Requests; Protection of Our Rights: We may disclose your information (including your personal information) to a third party if:

  • We believe that disclosure is reasonably necessary to comply with any applicable law, regulation, legal process or governmental request;
  • To enforce our agreements, policies and terms of service;
  • To protect the security or integrity of Capstone’s products and services;
  • To protect the property, rights, and safety of Capstone, our customers or the public from harm or illegal activities;
  • To respond to an emergency which we believe in the good faith requires us to disclose information to assist in preventing the death or serious bodily injury of any person; or
  • To investigate and defend ourselves against any third-party claims or allegations.

4.6 Business Transfers: We may share or transfer your information (including your personal information) in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company. We will notify you of such a change in ownership or transfer of assets by posting a notice on our website.

4.7 Aggregate or Non-identifying Data: We may share aggregate or other non-personal information that does not directly identify you with third parties in order to improve the overall experience of our Services.

 

  1. The Choices You Have With Your Information

5.1 You may decline to share certain personal information with us, in which case we may not be able to provide to you some of the features and functionality of our Services. You may update or correct your personal information at any time by accessing the account settings page on the website or within our platform. You may opt out of receiving promotional communications from Capstone by using the unsubscribe link within each email. Even after you opt out from receiving promotional messages from us, you will continue to receive administrative messages from us regarding the Services.

 

  1. Children’s Privacy

Our Services are not directed to individuals under 13. We do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided us with personal information, we will take steps to delete such information. If you become aware that a child has provided us with personal information, please contact us at support@capstonesystem.com.au

 

  1. International Users

Our Services are hosted in Australia and intended for users located within Australia. If you choose to use the Services from other regions of the world with laws governing data collection and use that may differ from Australian law, then please note that you are transferring your information outside of those regions to Australia for storage and processing. By providing your information, you consent to any transfer and processing in accordance with this Policy.

 

  1. Hosting Security Measures

8.1 Capstone stores all data in Microsoft Azure datacentres within Australia.  Microsoft’s security protocols include:

(a) Assume breach

The guiding principle of Microsoft’s security strategy is to “assume breach.” The Microsoft global incident response team works around the clock to mitigate the effects of any attack against our cloud services. And security is built into Microsoft business products and cloud services from the ground up, starting with the Security Development Lifecycle, a mandatory development process that embeds security requirements into every phase of the development process.

(b) Auditing and logging

Protect data by maintaining visibility and responding quickly to timely security alerts.

(c) Dedicated cybersecurity teams

Microsoft has invested in multiple cybersecurity teams and related facilities to address threats to our customers and our technology ecosystem.

(d) Fighting cybercrime

The Microsoft Digital Crimes Unit (DCU) mission is to provide a safer digital experience for individuals and organizations worldwide by helping to protect vulnerable populations, fight malware, and reduce digital risk.

(e) Protecting your enterprise

The Microsoft Enterprise Cybersecurity Group is a team of world-class architects, consultants, and engineers that works with organizations to help move them to the cloud more securely, modernize their IT platforms, and avoid and mitigate breaches.

Defending against cyberthreats.   The Microsoft Cyber Defense Operations Center is a state-of-the-art facility that brings together security response experts from across the company to help protect, detect, and respond to cyberthreats in real-time—all day, every day.

(f) Setting security policy for a connected world

The Microsoft Cybersecurity Policy Team partners with governments and policymakers around the world, blending technical acumen with legal and policy expertise. By identifying strategic issues, assessing the impacts of policies and regulations, leading by example, and driving groundbreaking research, the Cybersecurity Policy team helps promote a more secure online environment.

(g) Platform Security

Microsoft believes that security doesn’t end in the public cloud. Security needs to be engineered into a system end to end, from the public cloud all the way to the desktop. From the very beginning, Microsoft architected their cloud services platform with multiple levels of security that are virtually and physically isolated. Your data is protected by hardened operating systems and backed by a defense-in-depth strategy that helps protect our cloud services. In addition, Microsoft have continuous, proactive, and reactive threat monitoring and analytics. Microsoft also encrypt customer data at rest and in transit, and encrypt customer data that passes between our datacenters. Every datacenter is constructed, managed, and monitored to protect data from unauthorized access. Microsoft also do not engineer backdoors into our services.

(h) Network Security

Microsoft provide secure communications between your infrastructure and our cloud services and block unauthorized traffic.  Specific platform security features include:

SQL Always Encrypted gives you the tools to encrypt sensitive data, such as credit card numbers and national identification numbers, and stored it in Azure SQL Database or SQL Server databases. SQL Always Encrypted creates data separation between those who own the data (authorized users) and those who manage the data (cloud database operators or administrators).

(i) Multi-factor authentication and Credential Guard technology is built into Windows 10 to help you go beyond passwords and move to more secure forms of authentication, such as PINs and biometrics, using the security capabilities already built into your Windows devices. These technologies help organizations defend against identity compromise and pass-the-hash attacks.

(j) Secure Identity

Microsoft uses stringent identity management and access controls to limit data and systems access to those with a genuine business need (least-privileged). Account password controls enforce password complexity rules and require periodic rotation. Microsoft implement system design and policies to prevent personnel who have authorized access to customer data from using it for purposes beyond those identified for their roles. Security policies set the standards and define procedures for data protection.

(k) Microsoft has invested in systems and controls that automate most Office 365 operations while intentionally limiting Microsoft personnel access to customer content. Humans govern the service, but software operates it. This enables Microsoft to manage Office 365 at scale, and to manage the risks of internal threats to customer content (such as malicious actor or the spear-phishing of a Microsoft engineer).  As an example: By default, Microsoft engineers have no standing administrative privileges and no standing access to customer content in Office 365. A Microsoft engineer may have restricted (and audited) secured access to a customer’s content for a limited amount of time, only when necessary for service operations and only when approved by a member of senior management at Microsoft (and, for customers who are licensed for the Customer Lockbox feature, the customer). Microsoft subcontractors are held to the same security standards as full-time employees. Subcontractors who work in facilities or on equipment controlled by Microsoft must follow our data protection standards, and all other subcontractors must follow data protection standards that are equivalent to our own. Microsoft subcontractor agreements are designed to ensure the safeguarding of customer information, and subcontractors’ work is regularly monitored.

(l) Secure Infrastructure

Operational Security Assurance (OSA) makes Microsoft business cloud services more resilient to attack by decreasing the amount of time needed to prevent, detect, and respond to real and potential Internet-based security threats. It ensures that operational activities follow rigorous security guidelines and validates that these guidelines are followed. When issues arise, a feedback loop helps ensure that future revisions of OSA support mitigations that address them.

(m) Threat Management

Threat management includes protection from both malicious software and attacks against systems and networks. Microsoft products and services have built-in protection features to help defend your data against malware and other types of threats.

Microsoft cloud services help you protect against malware threats in multiple ways. Microsoft Antimalware is built for the cloud, and additional antimalware protections are provided in specific services. Denial-of-service (DoS) attacks can deny access to important resources and result in lost productivity, so Microsoft builds its services to defend against such attacks. Windows server and client operating systems include multiple technologies for protecting against these threats at the local level.

(n) Australian Government Certification

Importantly, Microsoft Azure holds IRAP certification from the Australian Government and “will not Customer Data or derive information from it for any advertising or similar commercial purposes.”

Please find the full version of the Microsoft Online Services Privacy Statement here:

https://www.microsoft.com/en-us/privacystatement/OnlineServices/

 

Additional information can be found at the Microsoft Trust Centre

https://www.microsoft.com/en-us/TrustCenter/default.aspx

 

  1. Service Security Measures

9.1 SSL encryption

(a) Access to Capstone System is via Secure Socket Layer 256 bit encryption. SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and integral. SSL is an industry standard and is used by millions of websites in the protection of their online transactions with their customers.

(b) SSL allows sensitive information such as credit card numbers, medicare numbers, and login credentials to be transmitted securely. Normally, data sent between browsers and web servers is sent in plain text—leaving you vulnerable to eavesdropping. If an attacker is able to intercept all data being sent between a browser and a web server, they can see and use that information.

(c)More specifically, SSL is a security protocol. Protocols describe how algorithms should be used. In this case, the SSL protocol determines variables of the encryption for both the link and the data being transmitted.

(d) SSL secures millions of peoples’ data on the Internet every day, especially during online transactions or when transmitting confidential information. Internet users have come to associate their online security with the lock icon that comes with an SSL-secured website or green address bar that comes with an extended validation SSL-secured website. SSL-secured websites also begin with https rather than http.

9.2 Two-Step Verification

Two-Step verification is a security feature for the Service that’s designed to prevent anyone else from accessing or using your account, even if they know your password. It requires the Customer to verify identity using a mobile phone before access to the account from a new IP address.  Two-step verification helps protect you by making it more difficult for someone else to sign in to your Service.

9.3 Encrypted Patient Data

Specific patient data and user passwords are encrypted at the database level (MySQL) in Capstone System. Encryption is a modern form of cryptography that allows a user to hide information from others. Encryption uses a complex algorithm called a cipher in order to turn normalized data (plaintext) into a series of seemingly random characters (ciphertext) that is unreadable by those without a special key in which to decrypt it. Those that possess the key can decrypt the data in order to view the plaintext again rather than the random character string of ciphertext.

9.4 IP Restricted Access

IP Restricted Access is provided as a security and privacy feature. Users can be authorised for to access the system from a single IP address or multiple (dynamic). Under the “dynamic” setting, access from a new IP address requires Two-Step Verification to obtain access to your account.

9.5 Staff & Personnel

All Capstone System staff and external contractors are required to sign a detailed confidentiality agreement encompassing the details, procedures, and all sensitive information relating to, but not limited to our patient information.  Access to production environments is also limited to senior staff.  Where possible, screen-share technology is engaged in the viewing of patient data in production systems to prevent local access by Capstone Staff.  Capstone company directors have no operational visibility of the Customer’s data unless required as part of the delivery of the Service to the Customer.

 

  1. Changes to this Privacy Policy

We may change this Privacy Policy from time to time. If we make any changes, we will notify you by revising the version and date at the top of this Privacy Policy and, in some cases, where appropriate we may provide you with additional notice (such as adding a statement to the log-in screen or sending you an email notification). Your continued use of our Services after the revised Policy has become effective indicates that you have read, understood, and agreed to the current version of this Policy.

 

  1. Contact Information

Please contact us with any questions or comments about this Policy, your personal information, our use and disclosure practices, or your consent choices by email at support@capstonesystem.com.au